General
Target: SecuriteInfo.com.Trojan.PWS.Siggen3.25377.4475.28909.exe
Size: 986KB
Sample: 230120-ll3azsfd2t
MD5: 6e5115b82add4232a34a31059a96deec
SHA1: a54298038f05690b0f6d4cdfcd29f3af0784491a
SHA256: f81832eab926f0dfe31ac63017cb7f6d8fb933e31f6d8742f94a5cecf012bab1
SHA512: 052a440c0e7f3dc7d9a85a43673d3bfd95709bb9ee04c028426ebb5657d3c153027ecc53a829c6acfbea1fbfa199273e8fcb0d6cd852db3f48a17d84dd93f09c
SSDEEP: 12288:++f8MXWVAqNm4bujqYcWo2XJ4L9JkGYjRq0lbKSPJO16uV2AnJV4ilzP1:+AqN/bicB2XGL36JKkKz4OP1
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.PWS.Siggen3.25377.4475.28909.exe
Resource: win7-20221111-en
Malware Config
Extracted
Family: netwire
C2: 212.193.30.230:6063
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: TestLink.lnk
lock_executable: false
offline_keylogger: false
password: Password123@
registry_autorun: false
use_mutex: false
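The extracted configuration above is directly usable for hunting: the C2 socket, the install path (once the %AppData% token is expanded per user profile) and the sample hashes are each a concrete indicator. The following is an added example, not part of the sandbox report and not NetWire or Triage code: it turns the page's config values into an IOC set and checks them against a handful of constructed telemetry events. The environment mapping (ENV), the event field names and the sample events themselves are assumptions made for the example; a real check would read os.environ on the host and take events from an EDR or Sysmon export.

```python
"""Added example: build IOCs from the extracted NetWire config and match them
against constructed sample telemetry. Not part of the sandbox report."""
import ipaddress
import re

# Values exactly as extracted on the page.
NETWIRE_CONFIG = {
    "c2": "212.193.30.230:6063",
    "install_path": r"%AppData%\Install\Host.exe",
    "host_id": "HostId-%Rand%",
    "copy_executable": False,
    "registry_autorun": False,
}

SAMPLE_HASHES = {
    "md5": "6e5115b82add4232a34a31059a96deec",
    "sha256": "f81832eab926f0dfe31ac63017cb7f6d8fb933e31f6d8742f94a5cecf012bab1",
}

# Hypothetical per-user environment (assumption for the example; on a live
# host use os.environ). Windows resolves %AppData% to the Roaming profile dir.
ENV = {"AppData": r"C:\Users\alice\AppData\Roaming"}


def expand_win_env(path, env):
    """Expand %VAR% tokens case-insensitively, as cmd.exe does.
    Unknown tokens (e.g. the C2-side %Rand% placeholder) are left untouched."""
    def sub(match):
        name = match.group(1)
        for key, value in env.items():
            if key.lower() == name.lower():
                return value
        return match.group(0)
    return re.sub(r"%([^%]+)%", sub, path)


def build_iocs(cfg, hashes, env):
    """Derive matchable indicators from the config and hashes."""
    host, port = cfg["c2"].rsplit(":", 1)
    ipaddress.ip_address(host)          # raises if the C2 is not a literal IP
    return {
        "c2_ip": host,
        "c2_port": int(port),
        "install_path": expand_win_env(cfg["install_path"], env).lower(),
        "hashes": set(hashes.values()),
    }


# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Roaming\Install\Host.exe",
     "sha256": SAMPLE_HASHES["sha256"]},
    {"type": "network", "pid": 4120, "dst_ip": "212.193.30.230", "dst_port": 6063},
    {"type": "network", "pid": 812, "dst_ip": "13.107.4.52", "dst_port": 443},
    {"type": "process", "pid": 812,
     "image": r"C:\Windows\System32\svchost.exe",
     "sha256": "0" * 64},
]


def match_events(events, iocs):
    """Return (event, reasons) for every event that hits at least one IOC.
    Path comparison is case-insensitive because NTFS paths are."""
    hits = []
    for ev in events:
        reasons = []
        if ev["type"] == "process":
            if ev["image"].lower() == iocs["install_path"]:
                reasons.append("install_path")
            if ev.get("sha256") in iocs["hashes"]:
                reasons.append("known_hash")
        elif ev["type"] == "network":
            if ev["dst_ip"] == iocs["c2_ip"] and ev["dst_port"] == iocs["c2_port"]:
                reasons.append("c2")
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    iocs = build_iocs(NETWIRE_CONFIG, SAMPLE_HASHES, ENV)
    for ev, reasons in match_events(SAMPLE_EVENTS, iocs):
        print(f"pid {ev['pid']}: {', '.join(reasons)}")
```

One caveat when using the install path: copy_executable and registry_autorun are both false in this config, so the configured %AppData%\Install\Host.exe and the Run key may not be written by the RAT itself; treat the path as a lower-confidence indicator than the C2 socket and the file hashes, and expand %AppData% separately for every user profile on the host.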
Targets
Target: SecuriteInfo.com.Trojan.PWS.Siggen3.25377.4475.28909.exe (size and hashes as listed under General)
Score: 10/10
- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext